Modes of operation and random numbers Flashcards
What is the purpose of having multiple modes of operation for block ciphers?
The different modes can provide different things. Some modes can be designed to provide confidentiality for data, authentication (and integrity) or both.
What is one thing that confidentiality modes normally must include?
Randomisation
What do randomised encryption schemes want to prevent?
The same plaintext block being encrypted to the same ciphertext block every time
How can randomisation be achieved in block ciphers?
Using an initialisation vector. This needs to be unique or random.
Can be achieved by including a variable state which is updated with each block.
What are some other features of modes?
Can allow parallel processing, enc and/or dec in parallel.
Error propagation: an error in C results in multiple bit errors in P after decryption
Why is padding used in some modes?
Some modes require plaintext to consist of complete blocks
What is ciphertext stealing?
An alternative to padding.
What is the ECB mode?
Enc:
Ct = E(Pt, K), plaintext block Pt
Dec:
Pt = D(Ct, K)
Blocks are appended to each other to make the message.
Why is ECB mode normally not used for bulk encryption?
Because it is deterministic
What are the properties of ECB?
Randomised: No
Padding: Required
Error propagation: Within block
IV: Not used
Parallel encryption: Yes
Parallel decryption: Yes
Describe the CBC mode
Random IV, sent together with the ciphertext
Enc:
Ct = E(Pt XOR Ct-1, K)
C0 = IV
Dec:
Pt = D(Ct, K) XOR Ct-1
C0 = IV
How does error propagate through CBC?
A bit error in block n results in a plaintext error for block n, and a flipped bit in block n + 1.
What are the properties of CBC?
Randomised: Yes
Padding: Required
Error propagation: Within block, and into specific bits of next block
IV: Must be random
Parallel Enc: No
Parallel Dec: Yes
Describe CTR mode
Synchronous stream cipher.
Keystream generated by enc successive values of a ‘counter’ initialised using a nonce N.
The nonce and C-blocks are sent
Ot = E(Tt, K)
Tt: Concatenation of nonce and block number t
Enc:
Ct = Ot XOR Pt
Dec:
Pt = Ot XOR Ct
What is a nonce in CTR mode?
A randomly chosen value
How is error propagated in CTR mode?
A one-bit change in C block n produces a one-bit error in the plaintext at the same location
What are the properties of CTR mode?
Randomised: Yes
Padding: Not required
Error propagation: Errors occur in specific bits of current block
IV: Nonce must be unique
Parallel Enc: Yes
Parallel Dec: Yes
When can using CTR mode be useful?
For access to specific P blocks without decrypting the whole stream
Where is CTR mode used today?
Basis for authenticated encryption in TLS 1.3 and 1.3
What is a TRNG?
True random number generator.
A physical process which outputs each valid string independently, with equal probability
What is a PRNG?
Pseudo random number generator
Deterministic algorithm which approximates TRNG
How can PRNG and TRNG be combined?
May use TRNG to provide a seed for a PRNG
What is DRBG?
Deterministic Random Bit Generators. These are PRNG algorithms
Based on:
Hash functions
A specific MAC known as HMAC
Block ciphers in counter mode
How do PRNGs work?
Each generator takes a seed as input and outputs a bit string. Then its state is updated.
Seed should be updated after a number of calls
Seed can be obtained from TRNG
What are entropy sources?
Framework for design and validation of TRNGs
Includes physical noise source, digitalization process, and post-processing stages
Outputs any number of bits
What are the functions of DRBGs?
Instantiate: Sets initial state of DRBG using seed
Generate: Provides output bit string
Reseed: Input new seed and update DRBG state
Test: Checks correct operation of the other functions
Uninstantiate: Deletes the state of the DRBG
How is security defined for DRBGs?
Ability to distinguish reliably between its output and a truly random string.
2 properties: Backtracking resistance and forward prediction resistance
What is backtracking resistance?
If we have the current state, we should not be able to distinguish between the output of earlier calls to the DRBG generate function and random strings
What is forward prediction resistance?
If we have the current state, we should not be able to distinguish between the later outputs and random strings
What is CTR_DRBG?
Uses a block cipher in CTR mode (AES-128 recommended)
Seed length is block length + key length
Key and state (counter) are derived from a high entropy seed. No separate nonce is used
Counter mode enc is run iteratively with no Plaintext added and output blocks form the output
Define the update function in CTR_DRBG
Used in initialise, generate and reseed functions to generate new key and state.
Input: K and V (state/counter) and optional data input D
Output: K’ and V’
Computation for block size = key size:
- Generate new block O1 = E(V,K)
- Increment V
- O2 = E(V, K)
- K’ || V’ = (O1 || O2) XOR D
How does the instantiate function work in CTR_DRBG?
Calls update with D equal to the high entropy seed; K and V are zero strings
How does the generate function work in CTR_DRBG?
Computes up to 2^19 bits by running CTR mode output from current state.
Update is then called with D empty
How does the reseed function work in CTR_DRBG?
Update with D as high entropy input, K and V in current state
How many calls can be made to Generate before Reseed must be called, according to the standard for CTR_DRBG?
2^48
In CTR_DRBG what provides backtracking resistance?
Update and Reseed
In CTR_DRBG what provides forward prediction resistance?
Reseed
What is Dual_EC_DRBG?
Older standard
Based on elliptic curve discrete logarithm problem
Slower than other DRBGs
No security proof exists.
What are Cryptographically-secure pseudorandom number generators (CSPRNGs)?
Algorithms that, given an unpredictable input, generate a much larger stream of unpredictable outputs.